
LinkedIn's 117 Million Password Problem (And Yours)


Remember when LinkedIn got hacked back in 2012? The company said about 6.5 million password hashes had been stolen and posted online. Bad, but manageable. Change your password, move on.

Turns out that number was off. By about 110 million.

A hacker going by "Peace" is currently selling 117 million LinkedIn email and password combinations on a dark web marketplace for about $2,200 in Bitcoin. These aren't new accounts. They're from that same 2012 breach. LinkedIn dramatically underestimated how bad it was, and the full dataset has apparently been circulating on criminal forums for four years. Because the passwords were stored as weak, unsalted hashes, most of them have long since been cracked back to plain text.

If you had a LinkedIn account in 2012 (and most professionals did), your credentials might be on that list. That's worth about two minutes of your time to address. Here's why it matters more than you think.

Action item: Go change your LinkedIn password right now. If you use that same password anywhere else (email, banking, practice management software, anything), change those too. Don't finish this article first. Do it now. I'll wait.

The Password Reuse Problem

Here's the thing that makes this breach dangerous even four years later: people reuse passwords. A lot.

Studies consistently show that somewhere around 60-70% of people use the same password across multiple accounts. So when 117 million LinkedIn passwords leak, hackers don't just get access to LinkedIn. They get a master key they can try on every other service those people use.

Think about what's connected to the email address you used for LinkedIn:

If any of those share a password with your old LinkedIn account, you have a problem. And the criminals know this. "Credential stuffing," taking leaked email and password pairs and automatically replaying them against the login pages of other services, is one of the most common and effective attack methods out there. Most of the pairs fail, but a tool that tries millions of them only needs a small fraction to work.
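Credential stuffing leaves a recognisable fingerprint in login logs: one source trying many different usernames, each once or twice, with a high failure rate. A user who mistypes their own password looks different (one username, a few failures, then success). The following is an added example, not code from the original post; the log format, the IP addresses and the accounts are constructed for illustration, and the thresholds are starting points to tune against your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample login audit lines (hypothetical format, not from any real product).
# 203.0.113.10 sprays six different accounts and gets one hit.
# 198.51.100.7 is one user fumbling their own password, then succeeding.
SAMPLE_LOG = """\
2016-05-18T09:00:01Z src=203.0.113.10 user=alice@example.com result=FAIL
2016-05-18T09:00:02Z src=203.0.113.10 user=bob@example.com result=FAIL
2016-05-18T09:00:02Z src=203.0.113.10 user=carol@example.com result=FAIL
2016-05-18T09:00:03Z src=203.0.113.10 user=dave@example.com result=SUCCESS
2016-05-18T09:00:03Z src=203.0.113.10 user=erin@example.com result=FAIL
2016-05-18T09:00:04Z src=203.0.113.10 user=frank@example.com result=FAIL
2016-05-18T09:05:00Z src=198.51.100.7 user=alice@example.com result=FAIL
2016-05-18T09:05:20Z src=198.51.100.7 user=alice@example.com result=FAIL
2016-05-18T09:05:45Z src=198.51.100.7 user=alice@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse(log_text):
    """Yield (source_ip, username, result) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {source_ip: stats} for sources whose pattern looks like credential stuffing.

    Stuffing = many distinct usernames from one source with mostly failures
    (leaked pairs are usually stale). Accounts that *succeeded* from such a
    source are the ones whose owners reused a breached password.
    """
    users = defaultdict(set)
    fails = defaultdict(int)
    total = defaultdict(int)
    successes = defaultdict(set)
    for src, user, result in parse(log_text):
        total[src] += 1
        users[src].add(user)
        if result == "FAIL":
            fails[src] += 1
        else:
            successes[src].add(user)

    flagged = {}
    for src in total:
        ratio = fails[src] / total[src]
        if len(users[src]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(users[src]),
                "fail_ratio": round(ratio, 2),
                # These accounts need a forced password reset, not just a note.
                "compromised_accounts": sorted(successes[src]),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(src, stats)
```

Run against the sample, only 203.0.113.10 is flagged, with dave@example.com listed as the account that actually opened; the single user retrying at 198.51.100.7 is left alone. In a real deployment the same logic runs per time window, and the per-source threshold has to account for a whole office sharing one public IP.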

What This Means for Your Practice

Let's make this practical. You run a dental practice. You have team members who use LinkedIn to network with colleagues, connect with vendors, and stay current in the industry. Normal professional stuff.

Now imagine one of those team members used the same password for LinkedIn and for your practice management system. Or for their email, which is connected to your practice's network. That 2012 LinkedIn breach just became a 2016 practice security issue.

This isn't theoretical. We've seen it happen. A compromised email address leads to a phishing campaign that looks legitimate because it comes from a real account. Or a reused password gives an attacker direct access to systems they shouldn't be anywhere near.

The Fix: A Password Strategy That Actually Works

1. Stop Reusing Passwords. For Real This Time.

Every account gets its own password. I know that sounds impossible when you have 50+ accounts, but that's what password managers are for. Tools like LastPass, 1Password, or even the built-in ones in Chrome and Safari can generate and store unique passwords for every site. You remember one master password. The manager handles the rest.

2. Use a Password Manager for the Practice

This isn't just a personal thing. Your practice has shared accounts: the Dentrix support portal, your supply vendor logins, your IT management tools. A business password manager lets your team access what they need without sharing passwords on sticky notes or in spreadsheets. (Yes, we've seen the sticky notes on monitors. Please stop doing that.)

3. Turn on Two-Factor Authentication Everywhere

Even if a password gets stolen, two-factor authentication (2FA) means the attacker still can't get in without the second piece, usually a code from an authenticator app on your phone or a code sent by text message. An app-generated code is the better choice where it's offered, because text messages can be intercepted or redirected by moving your phone number to another SIM; a text message is still far better than nothing. LinkedIn supports it. Gmail supports it. Most banking sites support it. If a service offers 2FA and you're not using it, you're leaving protection on the table.

4. Check if You've Been Breached

There's a free service called "Have I Been Pwned" (haveibeenpwned.com) run by a security researcher named Troy Hunt. Enter your email address and it'll tell you which known breaches your account has appeared in, including this LinkedIn one. It's sobering, but better to know than not.
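The same service also lets you check whether a specific password has shown up in a breach, through its Pwned Passwords range API (a later addition to the service, not something the original post describes). The design point worth seeing is that the password never leaves your machine: you hash it, send only the first five hex characters of the hash, get back every suffix in that range, and finish the comparison locally. The code below is an added example, not from the post; the response it parses is constructed in the API's line format with made-up counts so it runs offline, and the live fetch is included only for real use.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password; return the 5-char prefix that is sent and the
    35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not found).

    fetch_range(prefix) must return the response body for that prefix;
    passing it in keeps the lookup logic testable without a network.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real lookup. Only the 5-char prefix is ever transmitted."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for one range response. The middle line is the real
# suffix of SHA-1("password"); the counts and the other two suffixes are made up.
SAMPLE_RESPONSE = (
    "00000000000000000000000000000000001:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2:7\r\n"
)


def fetch_range_sample(prefix):
    """Offline fetcher covering only the range that contains SHA-1("password")."""
    if prefix != "5BAA6":
        raise ValueError("constructed sample only covers prefix 5BAA6")
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    print("password ->", breach_count("password", fetch_range_sample))  # 1000000 (made-up count)
```

To check a real password, call `breach_count(pw, fetch_range_live)`. Any count above zero means the password is in at least one public dump and should be treated as burned, no matter how strong it looks.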

Why Breaches Keep Happening

LinkedIn stored those 117 million passwords as unsalted SHA-1 hashes. That's security jargon for two separate mistakes. First, SHA-1 is a fast hash, built for speed: an attacker with a few graphics cards can test billions of guesses per second against it. Second, there was no salt, the random per-user value that should be mixed into each hash. Without it, everyone who chose the same password got the same hash, so one guess cracks every one of those accounts at once, and precomputed tables of common passwords work straight away. A password stored with a unique salt and a deliberately slow function such as bcrypt or PBKDF2 forces the attacker to repeat expensive work for every user and every guess. Weak passwords still fall, but cracking the bulk of a 117 million-record dump goes from hours to a project that isn't worth finishing.
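The difference is easy to see in code. What follows is an added example, not LinkedIn's code or anything from the original post: a constructed four-user "leak" is stored once as unsalted SHA-1 (the way the post says LinkedIn did it) and once as salted PBKDF2, then a tiny wordlist is run against both. The unsalted table is cracked with one hash per candidate word for the whole user base, and two users who picked the same password are visibly exposed together; the salted table costs one slow hash per user per guess and shows no such duplicates.

```python
import hashlib
import hmac
import os

# Constructed "leak": four users, two of whom chose the same weak password.
CONSTRUCTED_PASSWORDS = {
    "alice@example.com": "linkedin123",
    "bob@example.com": "password1",
    "carol@example.com": "linkedin123",
    "dave@example.com": "Xk9#v2!pQz7$wL",   # not in the wordlist; survives both attacks
}

# A toy wordlist. Real cracking runs use hundreds of millions of candidates.
WORDLIST = ["123456", "password", "password1", "linkedin", "linkedin123", "qwerty"]

# --- The weak scheme: fast hash, no salt --------------------------------------

def sha1_unsalted(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(hash_table, wordlist):
    """Returns (cracked, hash_operations). One hash per word, regardless of
    how many users there are: the lookup table covers all of them at once."""
    lookup = {sha1_unsalted(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in hash_table.items() if h in lookup}
    return cracked, len(wordlist)


# --- The hardened scheme: per-user salt, deliberately slow hash ---------------

ITERATIONS = 100_000  # work factor; raise until one verification costs ~100 ms


def pbkdf2_salted(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_salted(password):
    """What the server keeps: a fresh random salt plus the slow digest."""
    salt = os.urandom(16)
    return salt, pbkdf2_salted(password, salt)


def verify_salted(password, record):
    salt, digest = record
    return hmac.compare_digest(pbkdf2_salted(password, salt), digest)


def crack_salted(records, wordlist):
    """Returns (cracked, hash_operations). The salt makes every (user, word)
    pair a separate slow computation; nothing is shared across users."""
    cracked, ops = {}, 0
    for user, record in records.items():
        for w in wordlist:
            ops += 1
            if verify_salted(w, record):
                cracked[user] = w
                break
    return cracked, ops


def has_duplicate_digests(records):
    """True if two users share an identical stored digest (leaks 'same password')."""
    digests = [digest for _, digest in records.values()]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in CONSTRUCTED_PASSWORDS.items()}
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = {u: store_salted(p) for u, p in CONSTRUCTED_PASSWORDS.items()}
    print("salted:  ", crack_salted(salted, WORDLIST), "duplicates:", has_duplicate_digests(salted))
```

Both runs crack the same three weak passwords, which is the other half of the lesson: the slow, salted scheme buys time and stops the one-guess-cracks-thousands effect, but it does not rescue a password that is in every attacker's wordlist. Unique, long passwords are still on the user.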

The lesson isn't that LinkedIn was incompetent (though their initial response and underreporting of the breach isn't a great look). The lesson is that even major companies with dedicated security teams get this stuff wrong. Your data is only as safe as the weakest service you use it on.

That's why unique passwords matter. When (not if) a service gets breached, the damage is contained to that one account.

Need Help Securing Your Practice's Passwords?

We help practices set up password managers, implement two-factor authentication, and create security policies that actually stick. It's simpler than you think.

Let's Talk

Bottom Line

117 million passwords from 2012 are now for sale in 2016. If you haven't changed your LinkedIn password since then, do it today. If you've used that same password anywhere else, change those too. And while you're at it, get a password manager and start doing this right.

The LinkedIn breach isn't the last breach. It's not even the biggest breach. But it's a useful reminder that password security isn't someone else's problem. It's yours.

Data Breach Password Security Cybersecurity Two-Factor Authentication Healthcare IT